← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #82822

[Bug 1462470] [NEW] pydoc.py uses old netscape navigator

  Thread PreviousDate PreviousThread Next 
Public bug reported:

File :
/usr/lib/python2.7/pydoc.py

line : 2216 ... 2226

pydoc.py uses old netscape navigator when the webbrowser module can not
be imported:

And it is vulnerable to shell command injection too,
because it uses os.system() wich allows shell commands in the parameter "url".

code :

        def open(self, event=None, url=None):
            url = url or self.server.url
            try:
                import webbrowser
                webbrowser.open(url)
            except ImportError: # pre-webbrowser.py compatibility
                if sys.platform == 'win32':
                    os.system('start "%s"' % url)
                else:
                    rc = os.system('netscape -remote "openURL(%s)" &' % url)
                    if rc: os.system('netscape "%s" &' % url)

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libpython2.7-stdlib 2.7.9-2ubuntu3
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: i386
CurrentDesktop: MATE
Date: Fri Jun  5 19:33:43 2015
InstallationDate: Installed on 2014-11-02 (214 days ago)
InstallationMedia: Ubuntu MATE 14.10 "Utopic Unicorn" - i386 (20141023)
SourcePackage: python2.7
UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago)

** Affects: python2.7 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug i386 vivid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1462470

Title:
  pydoc.py uses old netscape navigator

Status in python2.7 package in Ubuntu:
  New

Bug description:
  File :
  /usr/lib/python2.7/pydoc.py

  line : 2216 ... 2226

  pydoc.py uses old netscape navigator when the webbrowser module can
  not be imported:

  And it is vulnerable to shell command injection too,
  because it uses os.system() wich allows shell commands in the parameter "url".

  code :

          def open(self, event=None, url=None):
              url = url or self.server.url
              try:
                  import webbrowser
                  webbrowser.open(url)
              except ImportError: # pre-webbrowser.py compatibility
                  if sys.platform == 'win32':
                      os.system('start "%s"' % url)
                  else:
                      rc = os.system('netscape -remote "openURL(%s)" &' % url)
                      if rc: os.system('netscape "%s" &' % url)

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: libpython2.7-stdlib 2.7.9-2ubuntu3
  ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
  Uname: Linux 3.16.0-24-generic i686
  NonfreeKernelModules: nvidia
  ApportVersion: 2.17.2-0ubuntu1.1
  Architecture: i386
  CurrentDesktop: MATE
  Date: Fri Jun  5 19:33:43 2015
  InstallationDate: Installed on 2014-11-02 (214 days ago)
  InstallationMedia: Ubuntu MATE 14.10 "Utopic Unicorn" - i386 (20141023)
  SourcePackage: python2.7
  UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1462470/+subscriptions

Follow ups

References

  Thread PreviousDate PreviousThread Next